Cyber Incident Victim: Iddink Group
Date: Apr 2024
Location: Netherlands
Summary
A cyberattack by the Cactus group targeted Iddink Learning Materials, compromising systems containing personal data of students, parents, and associated schools, including names, addresses, contact details, birthdates, and bank information. The breach impacted approximately 300,000 learners and 300 educational institutions across the Netherlands, Belgium, and Spain. The company isolated affected systems, engaged external cybersecurity experts, notified law enforcement and data protection authorities, and advised vigilance against phishing. While operational disruptions occurred, the Magister learning management system remained unaffected. Iddink confirmed no ransom negotiations and is monitoring dark web activity for potential data exposure while investigating the incident's scope.
Description
On Thursday, April 11, 2024, Iddink Learning Materials BV, a major Dutch supplier of schoolbooks and digital learning materials serving over 300 schools and 300,000 students across the Netherlands, Belgium, and Spain, suffered a cyberattack attributed to the criminal group Cactus. The attack targeted Iddink’s order and delivery systems, compromising databases containing personal information of students, parents, and schools. Affected data included names, birthdates, addresses, email addresses, phone numbers, school contact details, invoices, bank account numbers, and archived emails from individuals and institutions.

The breach impacted all schools using Iddink’s ELF-, GLF-, and ILF-service platforms, with specific institutions like the Casparus College and Vechtstede College notifying parents directly about the incident. Iddink’s internal IT security team detected the intrusion on April 11, prompting immediate containment measures, including isolating affected systems, activating an internal task force, and engaging external cybersecurity experts to assist with the investigation and mitigation efforts.

The company notified the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) and law enforcement, with the latter opening a parallel investigation. Iddink confirmed no ransom negotiations occurred with Cactus and emphasized it would not pay any demands. While the attack disrupted Iddink’s internal order systems, its digital learning platforms, including the Magister student tracking system, remained operational due to separation from compromised infrastructure.

Iddink clarified that passwords created or updated after April 13, 2021, were stored securely in an unaffected environment using irreversible cryptographic hashing, reducing immediate credential risks. However, the company advised vigilance against phishing attempts exploiting stolen personal data and monitored dark web activity for leaked information, though none had surfaced at the time of reporting.

Schools bore primary responsibility for notifying affected parents and students, causing delays due to the scale of impacted individuals. Iddink maintained public updates via a dedicated blog, addressing concerns about system continuity, password management, and international scope while working with partners like Kennisnet and Stichting SEM to coordinate incident response. The full extent of the data breach remained under investigation as of the latest updates on April 14, with Iddink committing to evaluate root causes post-recovery to prevent future incidents.
